A steady stream of intrusions against hospitals, pipelines, water utilities, school districts, and municipal governments has pushed cybersecurity out of the IT department and into civil defense. The threat actors range from criminal ransomware crews to state-linked groups to hybrids that blur the distinction. The common feature is that software-mediated critical infrastructure inherits software's vulnerability profile, and that the abundance of attack tools has outpaced the abundance of defensive capacity in most jurisdictions.
The new threat surface
Electrification, digitization, and remote monitoring — all abundance-era wins — enlarge the attack surface at the same time they enlarge the economic surface. A hospital whose electronic records, imaging, and infusion pumps are networked delivers better care and is simultaneously easier to paralyze. The answer is not to de-network but to build defensive depth proportional to the dependency.
What abundance-era defense looks like
Emerging good practice includes secure-by-default software supply chains, memory-safe languages for new critical code, mandatory incident reporting, sector-specific information-sharing organizations, cyber-insurance that enforces minimum security hygiene, and public-interest red teaming. Verifiable Identity and strong authentication, deployed broadly (not just for elites), foreclose entire attack classes. See ARPANET to Internet for the historical arc of networks getting defenses retrofitted.
Civil-defense framing
Treating cybersecurity as civil defense implies public investment comparable to fire services and public health, not just private risk management. It also implies that attacks on hospitals and water utilities should be treated as attacks on civilians under the relevant legal frameworks — a normative claim that international bodies have partially articulated but not consistently enforced.
Open questions
Whether AI assistance tilts the offense/defense balance toward defenders (better code review, anomaly detection) or attackers (cheaper exploit development, more persuasive phishing) is genuinely unresolved. Nor is it clear how small municipalities and rural utilities can sustainably reach the defensive floor the threat environment demands.